Considering all the other news, the latest Facebook data breach, which was revealed in September, may have gone relatively unnoticed. But with the data of at least 50 million accounts exposed, amid concern that the vulnerability could ripple around the internet, what is being called the largest data breach in the social media company’s 14-year history is deeply disturbing. In the United States, some users have filed a class-action complaint in a court against Facebook.
Here is a quick primer on what we know about the breach, why it is different from the Cambridge Analytica scandal and what it might mean for social media users.
What do we know about the data breach?
On September 28, Facebook announced that an attack on its network had led to the personal information of at least 50 million accounts being exposed. It said the hackers had breached Facebook’s code and stolen “access tokens”, which are the digital keys to users’ profiles. In simple words, these tokens are partial replicas of the users’ personal data.
The code was found in a feature called “View As”, which allows Facebook users to see what their profile might look like to another user. Once the breach was discovered, Facebook took down the feature temporarily. It also reset the access tokens, which meant that all those accounts that were affected by the attack were logged out, and the users had to log back into Facebook.
Crucially, Facebook does not yet seem to know who was behind the attack or even what the impact of it will be. “Our investigation is still in its early stages,” said Guy Rosen, vice-president of product management at Facebook. “But it’s clear that attackers exploited a vulnerability in Facebook’s code.”
What are the challenges to Facebook?
Considering the magnitude of the attack, there are important questions that are as yet unanswered:
- Who was behind the attack?
Facebook’s security team is actively trying to answer this question. So far, based on statements made publicly, it does not seem to have been very successful.
- Was the attack limited to just the 50 million users Facebook has mentioned so far?
In addition to logging the 50 million accounts out, Facebook also reset the access tokens of another 40 million users that it believed may have been at risk, suggesting that more details about the attack may still come out.
- Most importantly, what is the impact of the attack? Were the accounts misused?
Answering this question will be much harder, considering a senior Facebook executive called the attackers an “odourless, weightless intruder that walked in”. This is one of the key questions that is yet to be answered.
How is it different from the Cambridge Analytica scandal?
Although both are major security concerns for Facebook, there is a fundamental difference.
In the Cambridge Analytica incident, users voluntarily gave their data to Facebook, which was then shared with third parties without their consent. In that sense, it was a breach of ethics on the part of Cambridge Analytica, a British political consulting firm. Cambridge Analytica had worked on Donald Trump’s campaign for the 2016 presidential elections in the United States and harvested the public data of millions of Facebook users to target them with personalised political advertisements. But it did not involve any hacking.
In this case, the hackers exploited a vulnerability in Facebook’s security structures, allowing them to gain access to the entire account – so even data that users thought was private may have been exposed.
In the Cambridge Analytica case, no data related to the credentials of users was leaked. As Facebook said in March this year, “The claim that this is a data breach is completely false... People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
On the other hand, the current attack is a data breach, and the extent of the damage it has caused is still unclear.
What else do I need to know?
The impact of the attack may go far beyond just Facebook. This is because the vulnerability extends to a number of websites and apps that allow you to log in using your Facebook address and password. Many websites do this because it is seen as an easy way to build a secure log-in process. But this reliance on Facebook also means that any time the social media network is attacked, it could affect the other websites and apps as well.
If you used Facebook Connect, the “easy” login process that lets users sign into other applications with their Facebook credentials, then there is a likelihood that your data in those third-party apps might also have been breached.
For now, the complete impact of the data breach is yet to be determined. But Facebook said in its blog post on Tuesday, “We have now analysed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”
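As an added illustration (not Facebook’s code, and not an account of how its systems actually work), the following toy model shows what an access token is as a bearer credential, why resetting tokens logs out everyone who holds them, and why a third-party app that keeps its own copy of a once-verified identity stays exposed after the reset. All class and function names are hypothetical.

```python
# Added toy model, not Facebook's code; all names here are hypothetical.
import secrets

class IdentityProvider:
    """Issues opaque bearer tokens: whoever presents a live token acts as that user."""
    def __init__(self):
        self._tokens = {}  # token -> user id
    def issue_token(self, user):
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = user
        return tok
    def validate(self, tok):
        """Return the user id for a live token, or None once it has been reset."""
        return self._tokens.get(tok)
    def reset_tokens(self, users):
        """Invalidate every token of the listed accounts, legitimate or stolen."""
        dead = [t for t, u in self._tokens.items() if u in users]
        for t in dead:
            del self._tokens[t]
        return len(dead)

class StrictApp:
    """Re-checks the token with the provider on every request."""
    def __init__(self, idp):
        self.idp = idp
    def private_data(self, tok):
        user = self.idp.validate(tok)
        return None if user is None else f"private data of {user}"

class CachingApp(StrictApp):
    """Trusts the first successful check and never asks again, so the
    provider's reset never reaches it and a stolen token keeps working."""
    def __init__(self, idp):
        super().__init__(idp)
        self._cache = {}  # token -> user id remembered from the first check
    def private_data(self, tok):
        user = self._cache.get(tok) or self.idp.validate(tok)
        if user is None:
            return None
        self._cache[tok] = user
        return f"private data of {user}"

def demo():
    idp = IdentityProvider()
    strict, caching = StrictApp(idp), CachingApp(idp)
    tok = idp.issue_token("alice")  # constructed: an attacker also holds a copy
    before = (strict.private_data(tok), caching.private_data(tok))
    idp.reset_tokens({"alice"})  # the provider's response to the breach
    return before, (strict.private_data(tok), caching.private_data(tok))
```

The contrast between the two apps is why a token reset at Facebook alone cannot settle what happened inside third-party apps, and why the log analysis quoted above mattered.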
How has the Indian government reacted?
The Information and Technology Ministry has sought an “update” from Facebook on the attack, mainly on how it has impacted Indian users, said a report in the Business Standard citing senior information technology officials. Legally, for now, Facebook can be sued for damages under Sections 43 and 43 (a) of the Information Technology Act, according to Pavan Duggal, a lawyer who specialises in cyber law. “Facebook has to be tightening its belt, as it can be sued for damages and criminal charges – with breach of trust, and having no adequate mechanism for prevention,” Duggal told Scroll.in.
The government had sought to take action against Facebook after the Cambridge Analytica scandal, with Union Information Technology Minister Ravi Shankar Prasad warning the social media company that stringent action would be taken against it if it was found that the data of Indian users had been compromised. In August, the government ordered a Central Bureau of Investigation inquiry into whether Cambridge Analytica had picked up data from Global Sciences Research, the company that harvested the Facebook data and shared it with the British firm.
Was your account hacked?
If you were logged out of your Facebook account, then it could be because Facebook changed your access tokens, which in turn means you might be among the 50 million users who were attacked. But Facebook also changed the access tokens of an additional 40 million users who used the “View As” feature last year, and may have been vulnerable.
If you are still worried about the attack, here is what you can do to secure your account:
- Do an account audit: Open your account’s settings, click on “Security and Login”, look for the option called “Where You’re Logged In”, and check whether any suspicious device appears among your login sessions.
- Change password and set up two-factor authentication: Ideally, you should change your password every couple of months, but if you cannot, two-factor authentication would be a good step to secure your account. You can set up two-factor authentication on the “Security and Login” page. Select “Use Two-Factor Authentication”, which will enable a One Time Password-based mobile login for your device.